Microsoft ends 2008 with six 'critical' patches

Security fixes released in Patch Tuesday

Microsoft released eight patches to fix 28 security flaws yesterday, including a critical flaw in the new search component in Vista and Windows Server 2008.

Of the eight patches, which will be the last released by Microsoft in 2008, six were rated 'critical' while the other two were rated 'important'.

The Vista and Windows Server 2008 flaw lies in a search component that was developed from scratch for those platforms under Microsoft's new edict to develop secure code. However, the threat of exploitation is thought to be low.

"It shows that even in the newer code that is highly scrutinised by the security teams at Microsoft and where developers are being held to secure coding standards you can still have problems," says Wolfgang Kandek, CTO of Qualys.

The patch, MS08-076, targets a set of vulnerabilities that, when taken together, add up to a critical flaw, according to information Microsoft provided to antimalware vendors. It's similar to the seven-year-old flaw patched last month, which allowed a hacker to steal a password and use it to log on to a user's machine and gain control of the PC.

The crop of vulnerabilities also included another flaw in GDI, a component of Windows responsible for representing graphical objects.

"The exploit vector is very high," says Amol Sarwate, manager of the vulnerabilities research lab at Qualys. "You just have to view an image on a malicious web page. And since it is in the OS, all Windows machines are affected by default."

Paul Henry, security and forensic analyst at Lumension, says that, as a whole, the group of patches represents "some serious issues that need to be patched immediately. It is incredibly difficult to prioritise them".

Thirteen of the 28 vulnerabilities were given the top rating on Microsoft's new 'exploitability index'. A ranking of 1 means that the vulnerability is an attractive target for hackers because they can create exploit code that could consistently exploit the vulnerability.

On Tuesday Microsoft also released a security advisory to notify users that it is investigating reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 SP4, XP SP2, Windows Server 2003 SP1, and Windows Server 2003 SP2.